Closed fmeum closed 1 year ago
readObject calls can directly result in RCE; see https://github.com/frohoff/ysoserial for examples. Since deserialization doesn't call constructors (see https://docs.oracle.com/javase/7/docs/platform/serialization/spec/input.html#2971), we emit a finding right in the readObject method.
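The two points above (the constructor is skipped, so readObject is the first user code to run on untrusted bytes) as an added standalone example; this is not code from the original issue or from the project it belongs to. The Endpoint class, its field values, the tampered stream and the allowlist pattern are all constructed for the demo, and the filter API (ObjectInputFilter) requires Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class ReadObjectDemo {

    // Hypothetical value class: the constructor enforces that the port is in range.
    static final class Endpoint implements Serializable {
        private static final long serialVersionUID = 1L;
        static int constructorCalls = 0;

        private final String host;
        private final int port;

        Endpoint(String host, int port) {
            constructorCalls++;
            if (port < 1 || port > 65535) throw new IllegalArgumentException("bad port: " + port);
            this.host = host;
            this.port = port;
        }

        // Deserialization never runs the constructor above, so this is the first
        // user code to see attacker-controlled field values: re-validate here.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (port < 1 || port > 65535) throw new InvalidObjectException("bad port: " + port);
            if (host == null || host.isEmpty()) throw new InvalidObjectException("missing host");
        }

        int port() { return port; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize behind an allowlist filter (Java 9+): only Endpoint and String may appear,
    // so a gadget class never gets as far as its own readObject.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "ReadObjectDemo$Endpoint;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    // Locate the 4-byte big-endian encoding of `value` in the stream (demo helper only).
    static int indexOfInt(byte[] hay, int value) {
        byte[] needle = { (byte) (value >>> 24), (byte) (value >>> 16), (byte) (value >>> 8), (byte) value };
        outer:
        for (int i = 0; i + 4 <= hay.length; i++) {
            for (int j = 0; j < 4; j++) if (hay[i + j] != needle[j]) continue outer;
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Endpoint("example.invalid", 443));
        Endpoint e = (Endpoint) deserialize(good);
        // Constructor ran once for `new`, not again for deserialization.
        System.out.println("round trip port=" + e.port() + ", constructor calls=" + Endpoint.constructorCalls);

        // Constructed tampered stream: overwrite the serialized port with 0. The constructor's
        // check is bypassed; only the re-check in readObject catches it.
        byte[] bad = good.clone();
        int at = indexOfInt(bad, 443);
        bad[at] = bad[at + 1] = bad[at + 2] = bad[at + 3] = 0;
        try {
            deserialize(bad);
        } catch (InvalidObjectException ex) {
            System.out.println("rejected in readObject: " + ex.getMessage());
        }

        // A class outside the allowlist is rejected by the filter before any readObject runs.
        try {
            deserialize(serialize(new ArrayList<>()));
        } catch (IOException ex) {
            System.out.println("rejected by filter: " + ex);
        }
    }
}
```

The two layers do different jobs: the ObjectInputFilter decides which classes may be instantiated at all, which is what keeps foreign gadget classes out of the stream, while the validation inside readObject is the only place the class's own invariants can be re-established, because the constructor that normally enforces them is never called. A process-wide default can also be set with ObjectInputFilter.Config.setSerialFilter or the jdk.serialFilter system property.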